Container security

Overview

Containerization allows development teams to move fast, deploy software efficiently, and
operate at an unprecedented scale. As enterprises create more containerized workloads,
security must be integrated at each stage of the build-and-deploy life cycle.
Learn how to secure any container environment you run on GCP—whether that's Google
Kubernetes Engine or Anthos—in three critical areas.

Securing the software supply chain means that container images are safe to deploy. This
is how you make sure your container images are vulnerability free and that the images
you build aren't modified before they're deployed.

Runtime security allows you to identify a container acting maliciously in production
and take action to protect your workload.

Running containers allows you to adopt a fundamentally different security model

Simpler patch management and immutability

Containers are meant to be immutable, so you deploy a new image in order to make changes.
You can simplify patch management by rebuilding your images regularly, so the patch is
picked up the next time a container is deployed. Get the full picture of your environment
with regular image security reviews.

Smaller surface of attack

Containers are meant to run on a much smaller host OS than for a VM, as more is packaged
into the application directly. This minimal host OS reduces the potential surface of attack
for your workload.

Resource and workload isolation

Containers provide an easy way to isolate resources, such as storage volumes, to certain
processes using cgroups and namespaces. With technologies like GKE Sandbox,
you can logically isolate workloads in a sub-VM sandbox, separate from other applications.

Infrastructure security

Container infrastructure security is about ensuring that your developers have the tools
they need to securely build containerized services. These capabilities are typically
built into the container orchestrator, like Kubernetes.
If you use Google Kubernetes Engine,
this functionality is surfaced natively, in addition to other features of Google Cloud.

Audit logging

Networking

On Google Kubernetes Engine, create a network policy
to manage pod-to-pod communications in your cluster. Use private clusters
for private IPs and include Google Kubernetes Engine resources in a shared VPC.

Compliance

Minimal host OS

Google Kubernetes Engine uses Container-Optimized OS
(COS) by default, an OS purpose-built and optimized for running containers. COS is
maintained by Google in open source.

Automatically upgraded components

On GKE, masters are automatically patched to the latest Kubernetes version, and you can use
node auto-upgrade
to keep your security up to date by automatically applying the latest patches for your
nodes.

Customer-managed encryption keys

Users in regulated industries may need to be in control of the keys used to encrypt data
stored in GKE. With customer-managed encryption keys, you can pick a key from Cloud KMS
to protect your GKE persistent disk.

Application layer secrets encryption

By default, Kubernetes secrets are stored in plaintext. GKE encrypts these secrets on disk
and monitors this data for insider access. But that alone might not be enough to protect
those secrets from a malicious application in your environment. Application layer secrets
encryption protects secrets with envelope encryption, with a key you manage in Cloud KMS.

Workload Identity

Your containerized application probably needs to connect to other services, like a database,
to fulfill its duties. To do so, your application first needs to authenticate to them.
Workload Identity uses a Google-managed service account to share credentials for
authentication, following the principles of least privilege for application authentication.

Managed SSL certs

In GKE, HTTPS load balancers need to be associated with an SSL certificate. You can obtain,
manage, and renew these certificates yourself, or have Google automatically obtain, manage
and renew those certificates for you—saving you the burden of renewing (or forgetting to
renew) them yourself.

Software supply chain

Software supply chain is about knowing exactly what's being deployed in your
environment: that you control your applications, from code to image to deployment.
These capabilities are typically built into your CI/CD pipeline, your container registry
— such as Google Container Registry,
and as an admission check before you deploy containers into production.

Secure and managed base images

Google Container Registry provides both a Debian
and Ubuntu
base image, maintained by Google with regular patching and testing. These Google-managed
images have been remediated with the most recently available patches from upstream, so you
can easily keep your images up to date without having to pull from an unknown repository or
maintain the images yourself.

Vulnerability scanning

Deployment policies

On Google Kubernetes Engine, use Binary Authorization
to limit what you deploy into your environment based on an image's attestations. You can
require images to meet requirements defined by you in the form of attestations, or
signatures, before being deployed. Requirements might include scanning the image for
vulnerabilities or verification by the QA team.

Regular builds

Containers can be rebuilt and redeployed regularly, so you can benefit from the latest
patches that are gradually rolled out to your environment.

Runtime security

Container runtime security is about ensuring that your security response team can
detect and respond to security threats to containers running in your environment. These
capabilities are typically built into your security operations tooling.

Anomalous activity detection

Enforce security policies

PodSecurityPolicy is a feature of open source Kubernetes and helps you create guardrails for
your containers by setting constraints on how your pods can run—for example, enforcing
constraints like AppArmor and seccomp.

Isolation

Prevent one malicious container from affecting another one.
GKE Sandbox uses a userspace
kernel to intercept and handle syscalls, adding defense-in-depth to your containers without
changing how developers interact with their applications. GKE Sandbox is based on gVisor,
an open source project created at Google.